A divestiture may involve the sale of part of the assets of a divesting company to a buyer. For example, a divestiture of less than all of the assets of a selling entity to a buying entity, such as a buying company, requires a quick transition of the divested assets to the buying entity. Generally, such assets may include IT and intellectual property (IP) assets, data, and various systems that may have been accumulated in the divesting company and become commingled internally over many years. Typically, such a transaction may include a transition services agreement (TSA) that becomes effective after the transaction closes. The TSA may be defined as a contractual agreement that formally documents the duration of a transition period and the services that are to be provided by the divesting entity to the buying entity as part of that agreement.
The closing may be followed by what may be characterized as legal day one (LD1), on and after which the buying entity officially owns the divested assets. The TSA may be effective from LD1, which may be the day after the close of the sale. Nevertheless, the divested assets may still be under the management control of the divesting entity after LD1. Under the terms of the transaction and the TSA, the buying entity and the divesting entity may agree on a period of time for the transition to be completed, which may extend over a period ranging from one month or less to several months or years.
A divestiture may include, for example, personnel, branches, network infrastructure, desktops, applications, intellectual property, servers, and/or telephones. In the divestiture, the TSA is likely to be the only governing document for protecting the selling entity if there is a loss or compromise of confidential data, either accidentally or deliberately. Reliance solely on the TSA means that any actions taken must be taken after the fact and without the benefit of systematic proactive steps to reduce the likelihood of data leakage or data compromise. Such data leakage or compromise may involve, for example, loss or compromise of different categories of data, such as public information, internal information, confidential information or personally identifiable information (PII).
In a typical divestiture, there is a direct conflict of interest between the buying entity and the selling entity. Once the assets are paid for, the buyer may wish to have immediate control of the newly acquired assets. However, the seller may want to protect itself because it may have core data and intellectual property that was not sold and is not part of the divestiture. Thus, the selling entity may want to ensure that the buyer is not able to access core data and intellectual property that the seller still owns. Therefore, the seller desires to complete the transition securely and minimize avenues for accidental or deliberate data losses. In an ideal world, all divested assets would be separated before LD1, but that is not often possible.
Although the buyer may own the divested IT assets following LD1, management of the divested assets may still need to be under the divesting entity's control. In most cases, since the divested assets, particularly IT assets, are commingled with non-divested assets, handover and transition of the divested assets is complicated by inherent conflicts of interest. Since the divested IT assets are commingled with non-divested IT assets within the entity, there is a current need for a systematic and controlled method for transitioning, separating and migrating the divested assets.
Another issue in a divestiture may be the identification of divested personnel during the transition phase. For example, clients, vendors, or others who deal with the divesting entity may not be aware that certain persons have been divested and may unknowingly provide confidential information meant for the divesting company to divested personnel. There is a present need for the divesting company to protect its assets, and also for the buyer to be able to take possession of the assets as quickly as possible. There is a further need for methods and systems to separate the IT assets, including the people, between the divesting entity and the buying entity. There is still a further need for methods, designs and processes that utilize multiple layers of security controls that work together to reduce data leakage by divested workers during and after a divestiture.